The Legislative Audit Committee 
of the Montana State Legislature: 


This is our information systems audit of the Montana Automated Educational Finance 
and Information Reporting System (MAEFAIRS) managed by the School Finance 
Division of the Office of Public Instruction. 


This report provides the Legislature information on the reliability of the data 
contained within, along with the accuracy of the entitlement calculations performed 
by MAEFAIRS. This report includes recommendations for enhancing general controls 
related to access, security, configuration management, and disaster recovery at the 
Office of Public Instruction. 


We wish to express our appreciation to the personnel from the Office of Public 
INFORMATION SYSTEMS AUDIT 
Data Reliability of the Montana Automated Educational Finance and Information 
Reporting System (MAEFAIRS) 
Office of Public Instruction 


MONTANA LEGISLATIVE AUDIT DIVISION 


14DP-02 REPORT SUMMARY 


In fiscal year 2014, MAEFAIRS was responsible for allocating $772 million 
in state funding to over 400 Montana school districts. While MAEFAIRS 
accurately calculates entitlements, the Office of Public Instruction could 
make improvements in system access, security, configuration management, 
and disaster recovery to ensure that business process controls continue to 
operate effectively. 


Context 


MAEFAIRS was created 20 years ago to support 
the Office of Public Instruction (OPI) in 
calculating entitlements to school districts and 
special education co-ops based on reporting of 
enrollment, number of educators and licensed 
professionals, and number of American Indian 
students. MAEFAIRS obtains information 
from two other sources—the Achievement 
in Montana system for student enrollment 
and the Terms of Employment Accreditation 
Master Schedule system for school district 
employment—along with data entered by over 
370 users dispersed among the state’s school 
districts. OPI personnel estimate there are 
approximately 200 calculations performed 
within the system. MAEFAIRS does not 
itself distribute the monies to the school 
districts and co-ops. This is accomplished by 
the Payment system, which is also managed by 
OPI and directly interfaces with MAEFAIRS. 


The audit team inspected general and business 
process controls associated with MAEFAIRS 
to determine the level of reliability of both the 
input and output data. The interface between 
MAEFAIRS and the Payment system was also 
examined. 


Results 


From the audit work conducted, we conclude 
OPI has established both internal and 
external controls associated with MAEFAIRS. 
The business process and interface controls 
implemented by OPI, both automated and 
manual, provide assurance that education 
entitlements are accurate, valid, and secure. 
However, the following general controls 
could be strengthened: 


• User access control procedures 
• Information security program plan 
• Configuration documentation and management plan 
• Disaster recovery testing 


Recommendation Concurrence 


Source: Agency audit response included in 
final report. 


For a complete copy of the report (14DP-02) or for further information, contact the 
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at 


http://leg.mt.gov/audit 


Report Fraud, Waste, and Abuse to the Legislative Auditor's FRAUD HOTLINE 
Call toll-free 1-800-222-4446, or e-mail ladhotline@mt.gov. 
Chapter I - Introduction and Background 


Introduction 


The Office of Public Instruction (OPI) is responsible for distributing approximately 
$1 billion (fiscal year 2014) to Montana’s school districts. Of that amount, 
approximately $700 million came from the state general fund. OPI utilizes the 
Montana Automated Educational Finance and Information Reporting System 
(MAEFAIRS) for gathering school district budgets, annual revenue and expenditure 
reports, and other financial data to calculate entitlement amounts. The School Finance 
Division is in charge of monitoring and maintaining MAEFAIRS, with assistance 
provided by OPI’s Information Technology Services Division. The magnitude of the 
entitlements calculated by MAEFAIRS raises interest for an examination of system 
controls associated with providing a level of surety that these entitlements are accurate. 


Background 


When discussing school district budgets, most of the attention is focused towards the 
state’s general fund used primarily to finance instructional, administrative, facility 
maintenance, and other operational costs of a district not financed by other special 
purpose funds. The general fund budget has minimum and maximum levels that are 
calculated based on state entitlements. MAEFAIRS was created in 1994 to support 
OPI in calculating these entitlements to school districts and special education co-ops 
based on reporting of enrollment, number of educators and licensed professionals, 
and number of American Indian students. MAEFAIRS obtains information from 
two other sources — the Achievement in Montana system for enrollment and the 
Terms of Employment Accreditation Master Schedule system for employment. OPI 
personnel estimate there are between 150 and 250 calculations performed within the 
system. MAEFAIRS does not directly distribute the monies to the school districts and 
co-ops. This is accomplished by another OPI system that MAEFAIRS interfaces with. 
Users with access to MAEFAIRS are county/district clerks and occasionally school 
superintendents if they are responsible for the budget. 


Audit Scope and Objectives 


The scope of this audit focused on the reliability of MAEFAIRS to collect and 
accurately process data for calculating entitlements to Montana school districts. The 
following were the objectives of the audit: 


1. Ensure input controls are established and tested within MAEFAIRS to 
effectively minimize erroneous data. 

2. Determine whether controls are in place to ensure calculations within 
MAEFAIRS are accurate. 

3. Examine the interface controls between MAEFAIRS and the Payment 
system. 

4. Verify whether change controls exist for any additions and edits made to 
MAEFAIRS. 

5. Determine whether disaster recovery procedures are established for 
MAEFAIRS and tested on a routine basis. 


Methodology 


The following is a general overview of the areas examined and the work performed 
during the course of the audit: 


• Conducted interviews with staff from OPI and various school districts. 
• Examined system access controls. 
• Observed testing conducted by OPI staff to ensure internal data validations 
and screen edits are operating effectively. 
• Verified the accuracy of the calculations performed by MAEFAIRS along 
with the OPI budget testing spreadsheet. 
• Reviewed agency processes for making changes to programming language 
within MAEFAIRS. 
• Examined access controls associated with the Payment system. 
• Inquired about how changes to entitlements within the Payment system are 
accomplished and recorded. 
• Reviewed the disaster recovery plan for MAEFAIRS. 


Audit Criteria 


The Department of Administration’s State Information Technology Services 
Division (SITSD) uses the publications from the National Institute of Standards and 
Technology (NIST) as the basis for information technology policies and standards 
within the Montana Operations Manual, specifically NIST 800-53 regarding security 
and privacy controls. Throughout this audit report, there will be occasional references 
to state policy which directly reflect NIST standards and guidelines. 


Audit Summary 


Based on our review, there are controls established in and around MAEFAIRS that 
ensure a level of accuracy with the data entered and the calculations performed. The 
Payment system securely interfaces with MAEFAIRS to obtain entitlements in order 
to distribute payments to school districts. In addition, while steps have been taken 
to provide reliable and relatively seamless disaster recovery capabilities, the testing 
of these capabilities could be improved. Access control, the security program, and 
configuration management were other areas that could be strengthened as well. 


Chapter II - MAEFAIRS Business Processes 


Introduction 


Business process controls are the automated and/or manual controls applied to business 
transaction flows that relate to the completeness, accuracy, validity and confidentiality 
of transactions and data during information processing. Automated controls are 
system-based, such as internal edits and validations used to ensure the correctness or 
accuracy of data entered. Manual controls are those that require human intervention; 
for example, the approval of transactions. For this audit of the Montana Automated 
Educational Finance and Information Reporting System (MAEFAIRS), we examined 
controls related to the validity of the input data and the completeness and accuracy 
of the entitlement calculations, for which both automated and manual controls are 
employed by the Office of Public Instruction (OPI). 


Interfaces stem from the exchange of data between two computer applications, which 
may or may not reside on the same physical environment. Interface controls are the 
controls that reside over the timely, accurate, and complete processing of information 
between applications and other feeder and receiving systems on an ongoing basis. 
MAEFAIRS interfaces with a number of systems, such as the automated data import 
from Achievement in Montana and Terms of Employment, Accreditation, and Master 
Schedule. For the scope of this audit, we focused on the interface between MAEFAIRS 
and the Payment System, which calculates the actual dollar values issued to the 
school districts (entitlements). The Payment System factors in not only entitlement 
data calculated in MAEFAIRS, but information from other external systems, such as 
the Transportation application which calculates the funding for school buses in the 
districts. The migration of data between MAEFAIRS and Payment will be covered 
later in this chapter. 


Validation of Input Data 


We examined the process for manually entering information into MAEFAIRS and 
the controls that support the validity of that information. The audit team observed 
the system-user interface and tested its ease of use via the test database. The system 
is relatively user-friendly, with embedded prompts that walk you through the process 
of entering district information for entitlements. Known constants, such as figures 
set by the legislature, are fixed and cannot be changed. Also, edits and validations 
are programmed into MAEFAIRS to assist users with entering data. In the case that 
a question or concern arises, staff from the School Finance Division are available to 
assist. We spoke to users from several districts to obtain their perspectives on how 
MAEFAIRS operates. Of the school districts interviewed, it was unanimous that 
the system works effectively and as intended, and when problems do arise, they are 
addressed in a timely fashion. 


The staff from the School Finance Division conducts internal testing of MAEFAIRS 
to not only establish a configuration baseline, but to also confirm that all the edits and 
validations are working properly. The testers essentially attempt to “break” the system 
or find ways to enter irrelevant data without discovery by MAEFAIRS. The team is 
provided testing guidelines to help them through the process and to ensure all steps are 
accomplished for every school district in the state. Team meetings are called to discuss 
progress, along with documenting testing results. We observed one of these testing 
meetings, which included all available staff from the School Finance Division. 


CONCLUSION 


The Office of Public Instruction has established and continually tests input 
controls for the Montana Automated Educational Finance and Information 
Reporting System that effectively minimize erroneous data. 


Completeness and Accuracy of Entitlements 


There are numerous calculations performed by MAEFAIRS. An exact number could 
not be determined from interviews; however, it was estimated at approximately 
200 calculations. Many of these calculations are dynamic—changing with each 
biennium, or possibly every year. This requires continued vigilance by the School 
Finance Division in order to provide assurance that these calculations are accurate 
and, in turn, entitlements allocated to the school districts are correct. To accomplish 
this, the School Finance Division provides tools to assist the districts with calculating 
their average number belonging (ANB), along with checking the entitlements 
calculated and eventually allocated. In addition, the School Finance Division confirms 
entitlement calculations for all school districts. The division initially completed only 
“spot checks” of a few selected districts for quality assurance purposes. They realized 
this was a critical step in managing the program and a valuable compensating control 
of an information system that is continually being modified. The division developed 
a state-wide spreadsheet that checks calculations performed by both the test and 
production databases of MAEFAIRS. Actual data, entered by school districts, is 
downloaded into the spreadsheet for entitlement verification. Figure 1 (see page 5) 
illustrates the process. 


Figure 1 
School Finance Division Verification of MAEFAIRS 

[Flow chart, rendered here as text.] 
TEST: Data copied from production to test » School Finance pulls tables from the test 
database and performs calculations » Compare spreadsheet to test database » Code 
changes moved from test to production. 
PRODUCTION: School Finance pulls tables from the production database and performs 
calculations » Compare spreadsheet to production database. 

Source: Compiled by the Legislative Audit Division from OPI interviews. 


While the spreadsheet is used as a tool to check the test database after changes have been 
made, it is also used to confirm that code changes were properly moved to production. 
We obtained and analyzed the spreadsheet used by the division. We compared 
MAEFAIRS code to spreadsheet calculations for ANB and noted no differences. We 
also analyzed verification results. Our review determined this is a positive control to 
help ensure MAEFAIRS is accurately calculating school district entitlements. 


CONCLUSION 


The Office of Public Instruction has employed effective business process 
controls that ensure entitlement calculations performed by the Montana 
Automated Educational Finance and Information Reporting System are 
accurate. 
Migration of Data to Payment System 


The interface between MAEFAIRS and the Payment system (Payment) is essentially 
one-way. Payment pulls data from MAEFAIRS to calculate funds allocated, but 
MAEFAIRS does not require any information from Payment to perform entitlement 
calculations. Even though the process is automated, the School Finance Division has 
the capability to access Payment to make adjustments if funds need to be recouped 
from the previous school year. Since this access introduces a level of risk to the 
completeness and accuracy of the information contained within Payment, controls 
have been implemented to oversee and approve the transactions created in Payment. 
Access to Payment is restricted to staff of the School Finance Division. In similar 
fashion as MAEFAIRS, individuals have to complete a user request form requiring 
approval from the administrator of the School Finance Division in order to gain 
access. Roles are assigned to each user, and the access list is much smaller and more 
tightly controlled than the access to MAEFAIRS due to the nature of the system 
and the number of individuals requiring access. The financial specialist is responsible 
for initiating payments. In addition, this individual can make adjustments to either 
entitlements within MAEFAIRS or payments within Payment if so required. Payment 
transactions are then combined into a single batch file. This file is approved by the 
administrator of the School Finance Division, or the second in charge, the financial 
specialist supervisor. Since there are payments that go out each month, twice a year the 
administrator or the supervisor will step into the role of the financial specialist and 
create the payment transactions. Figure 2 helps explain the steps for processing 
payments. There is no automated interface between Payment and the depository bank. 
Payments are manually entered into the system utilized by the bank to deposit funds, 
ACH Single Point. Reports are generated from both Payment and ACH Single Point. 
Both of these reports are compared by the School Finance Division to ensure payments 
between the two systems correspond. From the information gathered pertaining to 
access to Payment and the data therein, we determined that controls are in place to 
ensure payments calculated are accurate with regards to entitlements. 


Figure 2 
School Finance Division Payment Processing 

[Flow chart, rendered here as text. Columns: Entitlement » Payment Calculation » 
Funds Distribution.] 
MAEFAIRS » Entitlement adjustment (if needed), Financial Specialist » Payment 
Other Systems » Data for payment calculation » Payment 
Payment » Payment adjustment (if needed), Financial Specialist » Initiate payments 
for approval, Financial Specialist » School Finance (approval) » Payments generated 
(after approval) » School Districts 

Source: Compiled by the Legislative Audit Division from OPI interviews. 
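The comparison of the Payment report against the ACH Single Point report is the kind of reconciliation that is easy to script so that every run produces the same findings. The following is an added example written for this page, not OPI's own procedure or code; the report rows (district ID, payment number, amount) and the key layout are constructed for illustration. It flags payments present in only one report and amount differences such as a transposed digit from manual entry, and refuses to proceed if a report contains a duplicate payment key.

```python
from decimal import Decimal

# Constructed sample reports (not data from the audit): one row per payment,
# keyed by district ID and payment number, with the amount in dollars as text
# so that Decimal, not float, does the arithmetic.
PAYMENT_REPORT = [
    ("0101", "P-2014-001", "125000.00"),
    ("0102", "P-2014-002", "98250.50"),
    ("0103", "P-2014-003", "45000.00"),
    ("0104", "P-2014-004", "60000.00"),
]
ACH_REPORT = [
    ("0101", "P-2014-001", "125000.00"),
    ("0102", "P-2014-002", "98205.50"),   # digits transposed when keyed in by hand
    ("0104", "P-2014-004", "60000.00"),
    ("0105", "P-2014-005", "12000.00"),   # appears in the bank report only
]


def index_report(rows):
    """Map (district, payment_no) -> Decimal amount; a duplicate key is an error,
    because a reconciliation over ambiguous rows would hide a double payment."""
    idx = {}
    for district, pay_no, amount in rows:
        key = (district, pay_no)
        if key in idx:
            raise ValueError(f"duplicate payment key {key}")
        idx[key] = Decimal(amount)
    return idx


def reconcile(payment_rows, ach_rows):
    """Compare the two reports and return every discrepancy plus the totals."""
    p = index_report(payment_rows)
    a = index_report(ach_rows)
    findings = {
        "missing_in_ach": sorted(k for k in p if k not in a),
        "missing_in_payment": sorted(k for k in a if k not in p),
        # (key, payment amount, ACH amount) for every key present in both
        # reports whose amounts disagree
        "amount_mismatch": sorted(
            (k, str(p[k]), str(a[k])) for k in p if k in a and p[k] != a[k]
        ),
        "payment_total": str(sum(p.values(), Decimal("0"))),
        "ach_total": str(sum(a.values(), Decimal("0"))),
    }
    findings["balanced"] = not (
        findings["missing_in_ach"]
        or findings["missing_in_payment"]
        or findings["amount_mismatch"]
    )
    return findings


if __name__ == "__main__":
    for name, value in reconcile(PAYMENT_REPORT, ACH_REPORT).items():
        print(f"{name}: {value}")
```

Matching on the full key rather than on the amount alone matters: two districts paid the same amount would otherwise reconcile against each other and mask a missing payment.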


CONCLUSION 


The Office of Public Instruction has implemented interface controls 
between the Montana Automated Educational Finance and Information 
Reporting System and the Payment system, and these controls are working 
appropriately. 
Introduction 


General controls are the policies and procedures that apply to all or a large segment of 
an entity’s information systems and help ensure proper operation. These controls are 
applicable at the entity-wide, system, and application levels. For the purpose of this 
audit, controls were primarily examined at the system level. If general controls are 
inadequate, they can essentially hinder the effectiveness of business process controls, 
which were discussed in the previous chapter. This chapter addresses general controls 
which include access, security, configuration management, and contingency planning. 


Access Control 


By implementing access controls to information system resources, data owners minimize 
the risk of unauthorized access to data, equipment, and facilities. Access controls work 
closely with input controls in providing a level of surety that erroneous data has not 
been entered into the system. Thus, in accordance with the audit objectives, access 
was examined by the audit team. The process for obtaining access to the Montana 
Automated Educational Finance and Information Reporting System (MAEFAIRS) 
is similar to other Office of Public Instruction (OPI) information systems. A call is 
placed to the OPI help desk by the requestor, which is then forwarded to the School 
Finance Division. The requestor is then instructed to complete the user access form 
and return it to OPI. Once School Finance receives the form, a user role is assigned 
to the requestor and annotated on the form, which is then sent to the Information 
Systems Security Analyst at OPI to create the account and archive the form. Once the 
account has been created, the Information Systems Security Analyst sends an email to 
the user with a username and temporary password along with the role assigned. Roles 
depend on the responsibility of the user, and many users require multiple roles. Other 
than this email, all communication with the end user is done through the School 
Finance Division. If any changes to a user account are necessary, they would also be 
directed to division management. 


Examination of Users 


We requested a list of the user accounts within MAEFAIRS, which primarily included 
school district superintendents, clerks, and business managers. A much smaller number 
of user accounts belonged to staff from the School Finance Division in OPI. From this 
list, we determined there were a total of 374 users with access to MAEFAIRS. Of this 
total, 185 users were assigned more than one user role. There are 15 different roles 
available to be assigned to users in MAEFAIRS. The following is a breakout of the 
most common MAEFAIRS roles and the percentage of users assigned: 
• Compensation/Expenditures = 19 percent 
• Budget = 19 percent 
• Enrollment = 19 percent 
• Trustee Financial Statement = 19 percent 
• Tuition = 17 percent 
• All other roles = 6 percent 


We analyzed the list of user accounts and identified users who had not logged into 
MAEFAIRS for more than 12 months. Of these users, ten were identified as not 
logging in since 2012. Further investigation discovered that of these ten individuals, 
six users no longer required access to MAEFAIRS due to employment changes. State 
policy requires an internal user with access to state information systems must notify 
the data owner when his/her employment status changes. In this case, internal users 
include school district employees with access to MAEFAIRS. Not all of the internal 
users are providing the required notification of employment change to the data owner. 
It is the responsibility of the data owner, essentially the School Finance Division, to 
periodically review and maintain an up-to-date user access list. There are measures 
that can be taken to assist in minimizing unauthorized access, such as including 
instructions on the access form to contact OPI in the case that access is no longer 
required, or to set up the system to lock accounts that have not been accessed for a 
given amount of time. In the case an unauthorized individual continues to gain access 
to the system, erroneous enrollment data could be entered or existing data could be 
altered that would affect entitlement calculations and potentially require additional 
resources to correct. For example, if a former school district employee was still able to 
access the system, and became disgruntled towards the district, he or she could alter 
enrollment information to negatively impact the entitlements allocated to that district. 
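The inactive-account review described above (users with no login for more than 12 months, and users holding several roles) can be run from a user-list export rather than by hand. The following is an added example written for this page, not OPI's or the audit team's code; the account records, role names, the export layout and the as-of date are constructed, and the one-year threshold follows the cutoff the audit used. It produces the list a data owner would take to the access form for removal or lock-out, and a role breakdown of the kind shown in the bullet list above.

```python
from datetime import date, timedelta

# Constructed sample export (not data from the report): username, assigned
# roles, and date of last login (None means the account has never been used).
SAMPLE_USERS = [
    {"user": "clerk01",  "roles": ["Budget", "Enrollment"],            "last_login": date(2014, 9, 30)},
    {"user": "supt02",   "roles": ["Budget"],                          "last_login": date(2013, 5, 14)},
    {"user": "clerk03",  "roles": ["Tuition", "Enrollment", "Budget"], "last_login": date(2012, 8, 1)},
    {"user": "bizmgr04", "roles": ["Trustee Financial Statement"],     "last_login": None},
    {"user": "sfd05",    "roles": ["Admin"],                           "last_login": date(2014, 10, 2)},
]

# Review date, constructed for the example.
AS_OF = date(2014, 10, 15)


def stale_accounts(users, as_of, max_inactive_days=365):
    """Usernames whose last login is older than max_inactive_days before as_of.
    Accounts that have never logged in are included: an unused account is still
    a credential somebody could use."""
    cutoff = as_of - timedelta(days=max_inactive_days)
    return [u["user"] for u in users
            if u["last_login"] is None or u["last_login"] < cutoff]


def multi_role_users(users):
    """Accounts holding more than one role, for a separate need-to-have review."""
    return [u["user"] for u in users if len(u["roles"]) > 1]


def role_distribution(users):
    """Percentage of all users holding each role (a user with several roles is
    counted once under each of them), rounded to whole percent."""
    counts = {}
    for u in users:
        for role in u["roles"]:
            counts[role] = counts.get(role, 0) + 1
    total = len(users)
    return {role: round(100 * n / total) for role, n in counts.items()}


def review_report(users, as_of=AS_OF, max_inactive_days=365):
    """Bundle the checks a periodic access review would record."""
    return {
        "as_of": as_of.isoformat(),
        "total_users": len(users),
        "stale": stale_accounts(users, as_of, max_inactive_days),
        "multi_role": multi_role_users(users),
        "roles": role_distribution(users),
    }


if __name__ == "__main__":
    for name, value in review_report(SAMPLE_USERS).items():
        print(f"{name}: {value}")
```

A last-login date only shows that an account is unused; it does not show whether the person still works for the district. The stale list is the starting point for the confirmation with the district that the access form process is meant to trigger, not a substitute for it.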




RECOMMENDATION #1 


We recommend the Office of Public Instruction implement procedures for 
ensuring only authorized individuals have access to the Montana Automated 
Educational Finance and Information Reporting System. 




Security Management 


Developing and maintaining a security program is required by statute. Section 2-15-114, 
MCA, states each department head is responsible for developing and maintaining 
written internal policies and procedures to ensure security of data. In support of this 
law, state policy requires agencies to implement an information security program which 
is aligned with the security program guidance of the Federal Information Security 
Management Act (FISMA) and National Institute of Standards and Technology 
(NIST). A security program is defined as an organization-wide program that addresses 
information security for the information and systems that support the operations 
and assets of the organization, including those provided or managed by another 
organization, contractor, or other source. We determined during the assessment of 
MAEFAIRS that security documentation in support of a security program was either 
nonexistent or incomplete according to state policy and industry standards. Without 
the foundation of an agency security program, risk management and business processes 
could be adversely affected. 


Information security is essential to any data system, and specific aspects of 
MAEFAIRS security were examined during this audit. While measures have been 
taken to address security within OPI, there are areas that should be strengthened, 
primarily concerning the security program. In the Information Technology Strategic 
Plan for OPI, the agency indicated it intends to align its security program with NIST 
standards. However, policies and procedures at both the organization and system-level 
that would be included in a security program, have yet to be developed. An integral 
piece of risk management, and essentially the security program, is an information 
security architecture. Information security architecture is a detailed road map that 
allows traceability from the highest-level strategic goals and objectives of organizations, 
through specific mission/business protection needs, to specific information security 
solutions provided by people, processes, and technologies. In order to assess whether 
information system security controls are consistent with the information security 
architecture, the agency must have this road map in place. If applicable, documented 
system-level plans that incorporate security policies and procedures specific to an 
information system are also required. 




RECOMMENDATION #2 


We recommend the Office of Public Instruction develop an Information 
Security Program Plan, including information security architecture and agency 
policies, in accordance with state law and policy. 




Configuration Management 


Configuration management is a process that tracks and manages all components of 
an information system. Components include services, hardware, software, buildings, 
people, and formal documentation and cover everything from a single server to the 
entire information technology section within a department. Effective configuration 
management ensures an organization is making informed business decisions, 
performing correct actions, and providing reasonable assurance that changes to an 
information system are authorized and the system is configured and operating 
securely and as intended. In order to execute configuration management, best industry 
practices stress the importance of not only establishing a baseline configuration of the 
system, but also the subsequent control and maintenance of an accurate inventory 
of any changes made to that baseline. Proper documentation includes the recording 
of these authorized changes, along with policies, plans and procedures related to 
the organization’s configuration management. Configuration management works 
hand-in-hand with security management because any unauthorized change to the 
information system can have negative impacts to the security of that system and the 
information contained within. 


Change Controls 


During the audit, we identified controls to ensure the programming code for 
MAEFAIRS is secure and procedures are established for making modifications to 
code. Personnel from the School Finance Division in OPI meet during the summer to 
perform testing of MAEFAIRS in order to ensure the system is operating as expected. 
The testing protocol encompasses individual testers assigned as users with different 
school district roles, logging into the test environment of MAEFAIRS, and stepping 
through the screens to enter enrollment information. A testing guide is provided to 
the testers as a resource during the process. The group compiles notes on the results of 
testing, and meets several times over the course of two weeks to discuss progress. From 
this testing, a baseline configuration is established. Any changes to the MAEFAIRS 
baseline follow specific change control procedures. The change control process is 
illustrated in Figure 3 (see page 13). 


Figure 3 
Change Request Process for MAEFAIRS 


Change request » DEV to TEST » TEST to PROD 
Source: Compiled by the Legislative Audit Division from OPI interviews. 


Any change request to MAEFAIRS must come from the administrator of the School 
Finance Division, or the immediate subordinate, the finance specialist supervisor. In 
addition, changes must be approved by one of these individuals. All emails exchanged 
for the purpose of a MAEFAIRS programming code change request are kept by the 
system developers. The history of change requests (development to test to production) 
is also documented by the developers and all parties involved have access to this 
information for review. The developers lock-down program code and can track any 
changes made back to the date/time and the individual programmer. 


CONCLUSION 


The Office of Public Instruction has established procedures and controls 
regarding change management for the Montana Automated Educational 
Finance and Information Reporting System program code. 
Documentation of Configuration 


While OPI has established a process and controls regarding MAEFAIRS programming 
changes, there is a lack of documentation supporting configuration management 
of MAEFAIRS. Industry standards, such as NIST, require that configuration 
management policies, plans, and procedures (entity wide, system, and application 
levels) not only be developed, but also documented and updated as applicable. Examples 
of documentation include employee roles/responsibilities, change control and system 
documentation requirements, establishment of a decision-making structure, and 
configuration management training. 


Another critical element to configuration management is the continued monitoring 
of the baseline configuration. Currently, for the school districts in Montana, there are 
three count dates for which information pertaining to their district must be entered 
into MAEFAIRS. It is primarily during these times that personnel from the School 
Finance Division take a closer look at functionality and operation of the system. These 
configuration examinations should be performed once before release, and routinely 
tested thereafter as indicated in a configuration management plan. While such 
monitoring is performed by School Finance Division staff, there is no documented 
agency policy instructing how often configuration examinations should occur. 
RECOMMENDATION #3 


We recommend the Office of Public Instruction strengthen configuration 
management of the Montana Automated Educational Finance and Information 
Reporting System by documenting configuration management policies, plans, 
and procedures. 




Contingency Planning 


In the case of an outage where MAEFAIRS capabilities are either lost or compromised, 
OPI must be able to assure its customers that the system will be restored to 100 percent 
operability within a given amount of time. This time frame depends on the criticality 
of MAEFAIRS in regard to the mission of the agency. We inquired about whether 
the agency had developed a disaster recovery plan, and if not, their current progress in 
doing so. 


We noted OPI has taken steps in both developing a disaster recovery plan and testing its 
viability. OPI moved its equipment to the new Montana Data Center managed by the 
State Information Technology Services Division (SITSD). This provides improvements 
to the prevention of system outages, in addition to redundancy and recoverability with 
backup equipment located at the secondary data center in Miles City, Montana. In 
cooperation with SITSD staff, OPI scheduled and completed testing of the back-up 
capability between MAEFAIRS servers in both locations. The results from this test 
were positive in all aspects, and service did cut-over as expected to the secondary site. 


After further review of the disaster recovery plan for OPI, we noted that the schedule for 
testing the plan, including the cut-over of services and applications to the Miles City 
Data Center, is not addressed. Industry standards do recognize that certain systems are 
less critical in nature than others, but they still require management to assess the risks 
to the existing contingency plan and develop policy on how often and how extensively 
testing should occur. If policy does not dictate how or how often disaster recovery 
testing should be completed, procedures could become outdated or no longer applicable. 


RECOMMENDATION #4 


We recommend the Office of Public Instruction further define the 
requirements of disaster recovery testing, including the frequency of tests, 
within its agency disaster recovery plan. 
RECEIVED MAR 12 2015 LEGISLATIVE AUDIT DIV. 
 
 
Ms. Tori Hunthausen, CPA 
Legislative Auditor 
Legislative Audit Division 


PO Box 201705 
Helena, MT 59620-1705 


RE: MAEFAIRS Audit 
Dear Ms. Hunthausen: 


Following is our response to recommendations contained in the Office of Public 
Instruction’s (OPI) Montana Automated Educational Finance and Information Reporting 
System (MAEFAIRS) audit report. 


Recommendation #1 

We recommend the Office of Public Instruction implement procedures for ensuring only 
authorized individuals have access to the Montana Automated Educational Finance and 
Information Reporting System. 


OPI Response: We concur. The OPI will develop and document a procedure to review 
access to the Montana Automated Educational Finance and Information Reporting 
System on a regular basis and remove access that is no longer required. We have 
already conducted an initial review as a result of the audit finding and modified access 
for 16 users. 


Recommendation #2 

We recommend the Office of Public Instruction develop an Information Security 
Program Plan, including information security architecture and agency policies, in 
accordance with state law and policy. 


OPI Response: We concur. The OPI places the utmost importance on the security and 
privacy of data and data systems the agency uses in completing its mission. 
Furthermore, the OPI is committed to taking additional steps to comply with the 
security standards as described in state policy. 
Significant turnover in the OPI security officer position has delayed progress on the OPI 
Security Program Plan. This position has recently been filled and this individual will be 
assigned the development and maintenance of the Plan. 


The security officer position also manages the day-to-day activities of assigning access to 
OPI systems. These activities represent a barrier to progress on developing an 
Information Security Program Plan as they take a significant portion of the security 
officer’s time. To mitigate this daily commitment, the OPI has hired a part-time 
temporary worker to help with the daily activities that will allow the security officer to 
devote more time to developing the Plan. 


The OPI will develop a plan that describes the steps and proposed timeline to comply 
with state policy. We will coordinate our activities with the Enterprise Security Program 
officer recently hired by SITSD. We anticipate that the plan will take six to nine months 
to develop and that the tasks described in the plan will take multiple years to complete. 


Recommendation #3 

We recommend the Office of Public Instruction strengthen configuration management 
of the Montana Automated Educational Finance and Information Reporting System by 
documenting configuration management policies, plans and procedures. 


OPI Response: We concur. Within the next 6 months, the OPI will document the 
processes and procedures currently in place and develop an agency policy that enforces 
the use of the documented procedures. 


Recommendation #4 

We recommend the Office of Public Instruction further define the requirements of 
disaster recovery testing, including the frequency of tests, within its agency disaster 
recovery plan. 


OPI Response: We concur. The OPI has updated the existing Disaster Recovery plan to 
state that we will conduct the disaster recovery test annually. 


Sincerely, 




Denise Juneau 
Superintendent of Public Instruction 


